3. SQL Injection

$id isn’t escaped, so we can set $id to a value that starts a new query

– End the old query early, and start a new query
– Comment out the rest of the old query

Example: Dropping a table

insecure.php?id='; DROP TABLE users;--
– "SELECT * FROM table WHERE id=''; DROP TABLE users;--';"
– ';  Ends the original query. We can start a new one.
– DROP TABLE users;  Executes a new query.
– --';  Comments out the leftover from the original.

Example: Bypassing a login:

In the password field: ' OR 1=1;--'

"SELECT * FROM users WHERE uname='$user' AND pass='$pass';"

– "SELECT * FROM users WHERE uname='$user' AND pass='' OR 1=1;--'"

=> While the (uname AND pass) conditions will fail, 1=1 will always succeed!
We've already discussed a solution: escape all of the special characters in strings before using them.
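To make the two outcomes concrete, here is an added example (not from the slides) using Python and an in-memory SQLite table: the login check built by string interpolation like the slide's PHP, the same check with the quote-escaping fix the slide recommends, and the same check with bound parameters, which is the approach to prefer over hand-written escaping. The table contents, the function names and the `sql_escape` helper are constructed for this demo.

```python
import sqlite3


def setup_db():
    """Constructed sample database: one user, in memory (not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uname TEXT, pass TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn


def login_concat(conn, user, password):
    """Vulnerable: the query is assembled by interpolation, as in the slide's PHP."""
    sql = f"SELECT * FROM users WHERE uname='{user}' AND pass='{password}'"
    return conn.execute(sql).fetchone() is not None


def sql_escape(value):
    """The slide's fix, as a hypothetical helper: double each single quote so it
    stays inside the string literal. Sufficient for SQLite; MySQL also needs
    backslashes handled, which is why a driver's own escaping is preferred."""
    return value.replace("'", "''")


def login_escaped(conn, user, password):
    """Same interpolated query, but every string value is escaped first."""
    sql = (f"SELECT * FROM users WHERE uname='{sql_escape(user)}' "
           f"AND pass='{sql_escape(password)}'")
    return conn.execute(sql).fetchone() is not None


def login_param(conn, user, password):
    """Preferred: bound parameters. Input is sent as data and can never
    change the structure of the statement."""
    sql = "SELECT * FROM users WHERE uname=? AND pass=?"
    return conn.execute(sql, (user, password)).fetchone() is not None


def demo():
    """Runs the slide's 'OR 1=1' bypass against all three versions. The trailing
    ';' from the slide is dropped because sqlite3.execute() runs one statement."""
    conn = setup_db()
    payload = "' OR 1=1 --"
    return {
        "concat_bypassed": login_concat(conn, "nobody", payload),    # True
        "escaped_bypassed": login_escaped(conn, "nobody", payload),  # False
        "param_bypassed": login_param(conn, "nobody", payload),      # False
        "param_valid": login_param(conn, "alice", "correct horse"),  # True
    }
```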